Communication with processes
Access Tokens
Access tokens describe the security context of a process or thread.
A token holds the identity of the user account together with the group memberships and privileges that apply to that process or thread.
When a user authenticates to a system, the supplied credentials are verified against the security database (the local SAM or Active Directory); if authentication succeeds, the Local Security Authority builds an access token for that logon session.
Every process the user starts receives a copy of this token, and whenever one of its threads tries to open a securable object (a file, a registry key, a named pipe, another process) the token is compared against that object's DACL to decide what access is granted.
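The following is an added PowerShell example (not part of the original notes) that shows what the token described above actually contains for the current shell: user SID, group SIDs resolved to names, whether the token is an elevated administrator token, and the privileges whoami reads from the same token. The second part lists which user each running process's token belongs to; that call needs an elevated shell, which the example handles rather than assumes.

```powershell
# Added example: inspect the access token this PowerShell process runs with.
function Get-CurrentTokenSummary {
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]$id
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # Resolve group SIDs to names where possible (a few well-known SIDs do not translate).
    $groups = foreach ($sid in $id.Groups) {
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
    }

    [pscustomobject]@{
        User            = $id.Name
        UserSid         = $id.User.Value
        AuthPackage     = $id.AuthenticationType
        # With UAC enabled, an administrator's normal shell carries a filtered token in which
        # the Administrators group is deny-only, so this stays False until the shell is elevated.
        IsElevatedAdmin = $principal.IsInRole($adminRole)
        Groups          = $groups
    }
}

$token = Get-CurrentTokenSummary
$token | Format-List

# Privileges live in the same token; whoami queries it directly.
whoami /priv

# Every process carries its own token. Reading the token owner of other users' processes
# requires an elevated token, so fall back gracefully when this shell is not elevated.
try {
    Get-Process -IncludeUserName -ErrorAction Stop |
        Group-Object UserName | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize
} catch {
    Write-Warning "Get-Process -IncludeUserName needs an elevated token: $($_.Exception.Message)"
}
```

Run it once from a normal shell and once from an elevated one: the user and SID do not change, but IsElevatedAdmin flips and whoami /priv lists far more privileges, which is the difference a filtered token makes.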
Enumerating network services
Most common way of interacting with processes is through network sockets (DNS, HTTP, SMB, etc)
The netstat command displays active TCP and UDP connections and listening ports, giving us a better idea of which services are listening on which ports, both on externally reachable addresses and on the loopback interface only.
Displaying Active Network connections (-a: all connections and listening ports, -n: numeric addresses and ports, -o: owning process ID)
netstat -ano
The main thing we want to look for within the active network connections are entries listening only on the local loopback addresses; these services cannot be reached from the network, so they tend to get less attention, yet any local process can connect to them:
127.0.0.1
::1
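As an added example (not from the original notes), here is a PowerShell equivalent of reading netstat -ano that joins each listening endpoint to its owning process and separates the loopback-only listeners from the rest. It assumes the NetTCPIP module (Windows 8 / Server 2012 and later) and that Get-Process can see the target process; the Path column comes back empty for SYSTEM-owned processes unless the shell is elevated.

```powershell
# Added example: listening TCP ports and bound UDP endpoints with their owning process,
# loopback-only listeners flagged so they stand out the way the notes describe.
function Get-LocalListener {
    $loopback = @('127.0.0.1', '::1')

    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{ Proto = 'TCP'; Address = $_.LocalAddress; Port = $_.LocalPort; PID = $_.OwningProcess }
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{ Proto = 'UDP'; Address = $_.LocalAddress; Port = $_.LocalPort; PID = $_.OwningProcess }
    }

    # Index processes by PID once instead of calling Get-Process per endpoint.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[[int]$_.Id] = $_ }

    foreach ($e in (@($tcp) + @($udp))) {
        $p = $procs[[int]$e.PID]       # cast: OwningProcess is UInt32, Get-Process Id is Int32
        [pscustomobject]@{
            Proto        = $e.Proto
            Address      = $e.Address
            Port         = $e.Port
            PID          = $e.PID
            Process      = if ($p) { $p.ProcessName } else { '?' }
            Path         = if ($p) { $p.Path } else { $null }
            LoopbackOnly = ($loopback -contains $e.Address)
        }
    }
}

$all = Get-LocalListener

# Loopback-only listeners first: reachable by any local process, invisible from the network.
$all | Where-Object LoopbackOnly | Sort-Object Proto, Port | Format-Table -AutoSize

# Everything else, for comparison with the raw "netstat -ano" output.
$all | Where-Object { -not $_.LoopbackOnly } | Sort-Object Proto, Port | Format-Table -AutoSize
```

A listener bound to 0.0.0.0 or :: appears in the second table even though it also answers on loopback; the first table is only the services that are deliberately or accidentally local-only.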
examples of priv esc via running processes
Named Pipes
The other way processes communicate with each other is through named pipes.
What are named pipes?
A pipe is a section of kernel-managed memory that behaves like a file: one process writes data into it and another reads the data out, after which it is consumed rather than stored.
Pipes are used for communication between two applications or processes on the same host.
Example of a named pipe path (the fixed prefix \\.\pipe\ followed by the pipe name):
\\.\pipe\examplepipeserver
Windows uses a client-server model for pipe communication: the process that creates a named pipe is the server, and a process that opens and communicates with it is the client.
A named pipe can be half-duplex (data flows one way only, either client to server or server to client) or duplex (both directions). Every client connection to a named pipe server results in the creation of a new pipe instance; all instances share the same pipe name but each has its own data buffers.
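To make the server/client model and the role of the pipe's DACL concrete, here is an added example (not from the original notes) written for Windows PowerShell 5.1, where System.IO.Pipes accepts a PipeSecurity in the server constructor. It creates a server instance of the hypothetical pipe \\.\pipe\examplepipeserver with an explicit DACL instead of the default one, prints that DACL, connects a client from the same session, passes one message, and has the server report which user the client is. The pipe name and the chosen DACL are assumptions for the demo.

```powershell
# Added example: named-pipe server and client in one Windows PowerShell 5.1 session,
# with the server end's DACL set explicitly rather than left at the default.
$pipeName = 'examplepipeserver'                                        # hypothetical pipe name
$me       = [System.Security.Principal.WindowsIdentity]::GetCurrent().User

# Build the DACL: only the creating user and local Administrators may open the pipe.
$sec = [System.IO.Pipes.PipeSecurity]::new()
$sec.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new(
    $me, [System.IO.Pipes.PipeAccessRights]::FullControl,
    [System.Security.AccessControl.AccessControlType]::Allow))
$sec.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new(
    'BUILTIN\Administrators', [System.IO.Pipes.PipeAccessRights]::FullControl,
    [System.Security.AccessControl.AccessControlType]::Allow))

# The server creates the pipe; this is the "server" side of the model described above.
$server = [System.IO.Pipes.NamedPipeServerStream]::new(
    $pipeName,
    [System.IO.Pipes.PipeDirection]::InOut,                            # duplex
    1,                                                                 # one instance at a time
    [System.IO.Pipes.PipeTransmissionMode]::Message,
    [System.IO.Pipes.PipeOptions]::Asynchronous,
    4096, 4096, $sec)

"DACL on \\.\pipe\$pipeName :"
$server.GetAccessControl().GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Select-Object IdentityReference, AccessControlType, PipeAccessRights | Format-Table -AutoSize

# Wait for a client without blocking this thread, then connect a client to our own server.
$waiter = $server.WaitForConnectionAsync()
$client = [System.IO.Pipes.NamedPipeClientStream]::new('.', $pipeName, [System.IO.Pipes.PipeDirection]::InOut)
$client.Connect(5000)
$waiter.Wait()

# Client -> server: one message. The server reads it and identifies the caller.
$msg = [System.Text.Encoding]::UTF8.GetBytes('hello from client')
$client.Write($msg, 0, $msg.Length); $client.Flush()
$buf = New-Object byte[] 4096
$n   = $server.Read($buf, 0, $buf.Length)
$text = [System.Text.Encoding]::UTF8.GetString($buf, 0, $n)
"server got '{0}' from {1}" -f $text, $server.GetImpersonationUserName()

$client.Dispose(); $server.Dispose()
```

Replace the two Allow rules with a single rule for Everyone and re-run the DACL listing: that is the shape of the permissive pipe the attack example later in these notes looks for. The GetImpersonationUserName call is also why a pipe server that impersonates its client must check who connected before doing anything privileged on their behalf.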
Listing named pipes with pipelist (cmd)
pipelist.exe /accepteula
Listing named pipes in powershell
gci \\.\pipe\
After obtaining a listing of named pipes, we can use Accesschk to enumerate the permissions assigned to a specific named pipe by reviewing its Discretionary Access Control List (DACL). The DACL shows us which principals are allowed to read, write, modify or execute the resource.
accesschk.exe is not present on a default install; it ships with the Sysinternals Suite, which can be downloaded as a whole from https://download.sysinternals.com/files/SysinternalsSuite.zip
Reviewing the DACLs of all named pipes
.\accesschk.exe /accepteula \pipe\.
Reviewing LSASS Named Pipe permissions
.\accesschk.exe /accepteula \pipe\lsass -v
Results
\\.\Pipe\lsass
  Untrusted Mandatory Level [No-Write-Up]
  RW Everyone
        FILE_ADD_FILE
        FILE_LIST_DIRECTORY
        FILE_READ_ATTRIBUTES
        FILE_READ_DATA
        FILE_READ_EA
        FILE_WRITE_ATTRIBUTES
        FILE_WRITE_DATA
        FILE_WRITE_EA
        SYNCHRONIZE
        READ_CONTROL
  RW NT AUTHORITY\ANONYMOUS LOGON
        FILE_ADD_FILE
        FILE_LIST_DIRECTORY
        FILE_READ_ATTRIBUTES
        FILE_READ_DATA
        FILE_READ_EA
        FILE_WRITE_ATTRIBUTES
        FILE_WRITE_DATA
        FILE_WRITE_EA
        SYNCHRONIZE
        READ_CONTROL
  RW APPLICATION PACKAGE AUTHORITY\Your Windows credentials
        FILE_ADD_FILE
        FILE_LIST_DIRECTORY
        FILE_READ_ATTRIBUTES
        FILE_READ_DATA
        FILE_READ_EA
        FILE_WRITE_ATTRIBUTES
        FILE_WRITE_DATA
        FILE_WRITE_EA
        SYNCHRONIZE
        READ_CONTROL
  RW BUILTIN\Administrators
        FILE_ALL_ACCESS
From the output, only BUILTIN\Administrators hold FILE_ALL_ACCESS on the lsass pipe, while Everyone, ANONYMOUS LOGON and app-container packages can read from and write to it. Note that this is the DACL of the named pipe \\.\Pipe\lsass, not of the LSASS process itself: the broad read/write is expected, because this pipe is the transport for the LSA RPC interfaces that every client must be able to reach (for example to authenticate), and what a caller may actually do is decided inside those RPC calls rather than by the pipe's DACL.
Named Pipes Attack example
To search for any named pipe that allows write access, we can use accesschk with the -w switch:
.\accesschk.exe -w \pipe\* -v
We can see something interesting in the output:
\\.\Pipe\WindscribeService
  Medium Mandatory Level (Default) [No-Write-Up]
  RW Everyone
  RW BUILTIN\Administrators
        FILE_ALL_ACCESS
Here the group Everyone has read and write access over the pipe, so any user on the host can connect to it and send data to the service behind it, which runs as SYSTEM. The pipe's DACL only tells us that we can talk to the service; whether that becomes privilege escalation depends on what the service does with the messages it receives. The next step is to work out the message format the service expects (for example by studying the legitimate client that talks to it) and check whether any message it accepts causes an action to be carried out with the service's SYSTEM privileges, such as starting a program or writing to a location we control. If so, these lax permissions can be leveraged to escalate privileges on the host to SYSTEM.
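Both the DACL review of \pipe\lsass above and this writable-pipe search come down to reading accesschk output and spotting which principals hold write access. The following is an added PowerShell example (not from the original notes) that wraps that step: it runs accesschk -w over all pipes when the tool is available and otherwise parses a constructed sample shaped like the output shown on this page, then reports pipes writable by broad principals. The principal list and the sample pipe hardenedsvc are assumptions for the demo; the output format it parses is taken from the accesschk listings above.

```powershell
# Added example: find named pipes writable by low-privileged principals from accesschk output.
# The set of "broad" principals is an assumption for this demo; extend it for your estate.
$BroadPrincipals = @(
    'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE', 'NT AUTHORITY\ANONYMOUS LOGON'
)

function ConvertFrom-AccessChkPipeOutput {
    # Parses the non-verbose listing: a "\\.\Pipe\<name>" line followed by
    # indented "RW <principal>", "W <principal>" or "R <principal>" lines.
    param([Parameter(Mandatory)][string[]]$Lines)

    $current = $null
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -like '\\.\Pipe\*') {
            $current = $t
        }
        elseif ($current -and $t -match '^(?<access>RW|R|W)\s+(?<who>.+)$') {
            [pscustomobject]@{
                Pipe      = $current
                Principal = $Matches.who.Trim()
                Write     = $Matches.access.Contains('W')
            }
        }
    }
}

function Find-WritablePipes {
    param([string[]]$Lines, [string[]]$Broad = $BroadPrincipals)
    ConvertFrom-AccessChkPipeOutput -Lines $Lines |
        Where-Object { $_.Write -and ($Broad -contains $_.Principal) } |
        Select-Object Pipe, Principal -Unique
}

# Prefer live output from accesschk.exe (current directory or PATH); otherwise use a
# constructed sample in the same shape as the listings above.
$accesschk = Get-Command .\accesschk.exe, accesschk.exe -ErrorAction SilentlyContinue | Select-Object -First 1
if ($accesschk) {
    $lines = & $accesschk.Source -accepteula -nobanner -w '\pipe\*' 2>&1 | ForEach-Object { "$_" }
} else {
    Write-Warning 'accesschk.exe not found; parsing a constructed sample instead.'
    $lines = @(
        '\\.\Pipe\lsass'
        '  RW Everyone'
        '  RW NT AUTHORITY\ANONYMOUS LOGON'
        '  RW BUILTIN\Administrators'
        '\\.\Pipe\WindscribeService'
        '  RW Everyone'
        '  RW BUILTIN\Administrators'
        '\\.\Pipe\hardenedsvc'              # hypothetical pipe with a tight DACL
        '  RW BUILTIN\Administrators'
        '  R  BUILTIN\Users'
    )
}

Find-WritablePipes -Lines $lines | Format-Table -AutoSize
```

On the sample, lsass and WindscribeService are reported (Everyone and ANONYMOUS LOGON can write) and hardenedsvc is not, because Users only hold R. As the lsass case shows, a hit is a lead rather than a finding: the pipe's owner and the protocol it speaks decide whether write access is a problem.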